šŸŽ“ļø Vulnerable U | #026

Attack Tree for Depression, UK Tries to Stop Security Patches, SIM-Swap Hack Steals $6.3M, and CloudNordic Servers and Customer Data Wiped by Ransomware

Author

Matt Johansen
August 25, 2023

Read Time: 9 minutes

Howdy friends!

Finally back home after 13 days on the road. After a few flight cancelations and a non-covid virus later, Iā€™m somewhat back to normal. Weā€™ve had some exciting things brewing over here at Vulnerable U that Iā€™m excited to share with you all soon.

For now, Iā€™m glad to be home, but sad Iā€™m not on a 65-degree rooftop in SF as we sweat through our 45th day over 100 degrees here in ATX.

.

Sneak Peak at the Blog of the Week:

Personally, the real triumph with applying mental health to a commonly known and used threat model is the value of seeing depression as part of a system that can be influenced. So many of us, weighed down by the sludge and fog of mental illness, know all too well feeling like there is no way out, no hope, and that nothing can be done to change it. Seeing depression as an outcome of a set of circumstances, leaves room for the belief that new circumstances, or at least a new combination of current or old circumstances, could change the outcome. New experiences. New tools. New communities. New chances for happiness.

One of the few diagrams used in threat modeling, attack trees have been a great tool for visualizing potential cybersecurity threats and vulnerabilities. These structured diagrams allow us to map out potential attack vectors, understand their root causes, and devise strategies to counteract them. But what if we took this concept, traditionally reserved for cybersecurity, and applied it to something deeply human and complex: mental health?

This week, I am going to treat depression like a threat and run it through this threat model, taking the concept one step further than I did in my recent blog Threat Modeling for Depressionā€¦

In this episode:

  • Threat Modeling for Depression Part II: The Attack Tree

  • Cellebrite asks cops to keep its phone hacking tech ā€˜hush hushā€™

  • Blockchain Capitalā€™s Bart Stephens Lost $6.3 Million In SIM-Swap Hack

  • Changes to UK Surveillance Regime May Violate International Law

  • Threat Actors Exploit Known Citrix ShareFile Flaw

  • Tesla 'insider' breaches personal data of more than 75,000 employees

  • Hackers exploit WinRAR zero-day bug to steal funds from broker accounts

  • Lapsus$: Court finds teenagers carried out hacking spree

  • Criminals go full Viking on CloudNordic, wipe all servers and customer data

  • Google built a feature to make MFA mandatory for admin accounts and can require two admins to approve sensitive changes

  • Discord March data breach notification to users affected

  • Scraped data of 2.6 million Duolingo users released on hacking forum

ICYMI

šŸ–Šļø Something I wrote: Doing a follow-up to a post of ours - The Top 5 Obstacles Newcomers Face in Infosec (And How to Overcome Them) - next week. If youā€™re new to us or want a refresher, this is a quick 7-minute read.

šŸŽ§ļø Something I heard: A recent episode of a favorite podcast of mine, Steven Levittā€™s People I Mostly Admire, about an ex-employee of Google X, Obi Felten: Can a Moonshot Approach to Mental Health Work?

šŸŽ¤ Something I said: Last weekā€™s news in about 10 minutes. Catch up here. Still playing around with the format for these videos, so share feedback if you have any!

šŸ”– Something I read: These couple of Twitter threads on how folks have made buckets of money on bug bounties: Justin Gardner on SSRF and Paywall Bypasses

Vulnerable News

The UK is attempting to expand and maintain its surveillance capabilities which has now stomped its way into thinking security updates would be bad if it limits its ability to spy on its citizens. This is absolutely ridiculous and will result in major damages up to and including lives lost.

ā€œDevice manufacturers would likely also have to notify the government before making available important security updates that fix known vulnerabilities and keep devices secure. Accordingly, the Secretary of State, upon receiving such an advance notice, could now request operators to, for instance, abstain from patching security gaps to allow the government to maintain access for surveillance purposes.ā€ (read more)

Holy crap. Worst nightmare scenario. CloudNordic, a major Danish hosting provider, was hit with ransomware this week, and due to it hitting during a database migration, the backups were hit too. They are telling their customers they are out of luck and to find a new provider. Domains, emails, documents, databases, all just gone. They are actually pointing customers to the Wayback Machine as a backup source.

The company has stated that they are not willing to pay the ransom demanded by the hackers. While the company believes there hasn't been a data breach, meaning the data wasn't stolen before encryption, the incident is terrifying and highlights the importance of OFF SITE backups. (read more) - (I hit this one on Twitter too)

Bart Stephens, the co-founder of Blockchain Capital, a prominent crypto fund, lost a staggering $6.3 million in cryptocurrencies due to a SIM-swap attack. In this type of cyberattack, hackers manipulate cellular network providers to gain control over a victim's phone number, allowing them to reset passwords and bypass security measures. The FBI has previously warned about the rise in such attacks, especially targeting individuals with significant cryptocurrency holdings. (read more)

Cellebrite, a company known for its phone hacking technology, has been providing tools to law enforcement agencies worldwide to unlock phones and access their data. Recently, a leaked training video revealed that Cellebrite advises its law enforcement customers to keep their use of its technology a secret. This has raised concerns among legal experts who believe that the use of such powerful technology should be transparent and open to public scrutiny. They argue that keeping the use of this technology secret could infringe on the rights of defendants in court. The company defends its stance by suggesting that revealing its techniques could aid criminals and make law enforcement's job more challenging. (read more)

ā€œGiven the number of instances online and the reliability of the exploit, we have already seen a big impact from this vulnerability.ā€

A critical vulnerability has been identified in Citrix's file-sharing application, ShareFile. If exploited, this flaw allows attackers to remotely compromise the ShareFile storage zone controller without authentication. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has emphasized the urgency of patching this flaw, as evidence of its exploitation has been found. This vulnerability poses a significant risk, especially since ShareFile is widely used for secure file sharing and transfer. (read more)

Tesla experienced a significant data breach where the personal data of 75,735 current and former employees was compromised. The breach was attributed to "insider wrongdoing," and it was discovered that two former Tesla employees were responsible for misappropriating the data and sharing it with a foreign media outlet. While the media outlet has assured that it won't publish the personal information, the breach raises concerns about the security of employee data in large corporations. Tesla has taken legal action against the individuals involved and is offering credit monitoring services to the affected employees.

Since they are suing the employees and have seized their computers, this makes me think the ā€œmisappropriationā€ was not accidental, but Iā€™m having a hard time seeing a motive to just mail a bunch of employeeā€™s PII to a media company. (read more)

The zero-day in WinRAR allows attackers to hide malware in ZIP archives and disguise the malicious files as innocuous file types such as jpg or txt. The attackers using this zero-day have been using it to target financial traders and illicitly access their brokerage accounts. These malicious files have been spread across various trading forums, and once a user is compromised, hackers can perform unauthorized financial transactions and siphon off funds. The cybersecurity firm, Group-IB, has identified at least 130 traders affected by this exploit.

More and more frequently, Iā€™m seeing online crypto accounts targeted. It seems the fact that these exchanges are unregulated is also having an impact on them being higher ROI targets for attackers since the victims have very little recourse to recoup their losses. (read more)

We covered the media discussing these ā€œteenage hackersā€ a few weeks ago, and now we get to watch the courts send them to jail. Government regulators are hot on this case because the age of the attackers is leading them to believe that our companyā€™s defenses are too soft if theyā€™re breached by such young attackers.

An 18-year-old from Oxford, Arion Kurtaj, was identified as a key member of the cybercrime gang Lapsus$, responsible for a series of high-profile hacks against major tech companies like Uber, Nvidia, and Rockstar Games. Notably, while on bail, Kurtaj leaked unreleased content from Grand Theft Auto 6. The Lapsus$ group utilized a mix of hacking techniques, SIM swapping, and social engineering to infiltrate these companies. (read more)

ā€œMaking 2-Step verification (2SV) mandatory for select enterprise administrators: Compromised administrator accounts can have an outsized impact, and 2SV can result in a 50% decrease in accounts being compromised. Starting later this year, in a phased approach, select administrator accounts of our resellers and largest enterprise customers will be required to add 2SV to their accounts to strengthen their security.

Requiring multi-party approval for sensitive administrator actions: Workspace administrators can require additional approval by another administrator to complete a sensitive action, such as changing 2SV settings for a user, to provide an extra layer of defense against malicious actions. This will be available in preview later this year.ā€

This is like the nuclear submarine needing two officers to turn the key at the same time to fire the torpedo. I like this trend that follows GitHubā€™s announcement we covered last week. (read more)

Funnily enough, after all the noise last week about Discord.io being a smaller company that was breached and not Discord itself - Discord itself notified impacted users of a data breach a few weeks ago. Another funny thing about this one is that Discordā€™s breach only impacted 180 people, according to the filing with the state of Maine. While the smaller Discord.io breach impacted nearly 800k users. (read more)

Web scraping has become more and more popular as various companies leave their APIs woefully unprotected and access to plenty of info worth collecting. In this case, some folks have found that a Duolingo API can be hit, and by feeding it millions of emails, folks have published a database of Duolingo accounts. This includes both public and nonpublic info for these registered users. After looking around on Twitter, it seems that this has been kicking around for a few months in OSINT circles (it is part of the https://osint.industries/ data) but is just making the news now. (read more)

Miscellaneous mattjay

Hmmm - Should I do a giveaway for Jasonā€™s next live training for subscribers?

Upcoming Appearances

Developers and Security are Friends Day - Tromzo

Full day training led by Jim Manico, James Wickett, Johnathan Kuskos, and Matt Johansen. September 5th. Register now!

tromzo.com/developers-and-security-are-friends-day

Extra Credit

Help us grow! If you know someone who might be interested in joining the Vulnerable U community, please share this newsletter with them!

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay